Endpoint Standard: Known Script Interpreters Are Blocked Until Added to Approved List
search cancel

Endpoint Standard: Known Script Interpreters Are Blocked Until Added to Approved List

book

Article ID: 285067

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Alert reason calls out script interpreter (Powershell.exe and others, as <process_name> below) for running a script (<script_name> below) that attempted execution of known malware 
    The application <process_name> ran a script <script_name> that attempted to execute known malware. This script performs highly suspicious process injection behavior.  A Deny policy action was applied.
  • Alert reason seen multiple times across multiple devices with Group Alerts turned on 
    Seen ### times on ## devices
  • Tactics, Techniques, and Procedures (TTPs) include 
    HAS_SUSPECT_CODE, INJECT_CODE, MODIFY_MEMORY_PROTECTION, PACKED_CALL, POLICY_DENY, mitre_t1055_process_inject
  • Search for alert_id and reason_code returns result 
    alert_id:<alert_id> AND reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:11F960B7\-AEDA\-4748\-A9BD\-2E5650E9B780
  • On-disk SHA256 hash for script and/or script interpreter has not been added to Company Approved List

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (required, other products may also be present)
  • Carbon Black Cloud Sensor: 3.6.x.x and Higher
  • Microsoft Windows: All Supported Versions

Cause

Dynamic Rules Engine (DRE) block to prevent highly suspect fileless process injection techniques, backed by a script file, from being executed by binaries not on Company Approved List

Resolution

  1. Upgrade impacted Sensors to 3.7.0.1253 or higher
  2. Go to Alerts page, turn Group Alerts On, and search for reason_code below 
    reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:11F960B7\-AEDA\-4748\-A9BD\-2E5650E9B780
  3. Add search for list of TTPs 
     AND ttp:(HAS_SUSPECT_CODE AND INJECT_CODE AND MODIFY_MEMORY_PROTECTION AND PACKED_CALL AND POLICY_DENY AND mitre_t1055_process_inject)
  4. Add search to verify reputation is NOT Company Approved 
     AND -threat_cause_reputation:COMPANY_WHITE_LIST
  5. Select an alert_id which meets above criteria and go to Alert Triage page in new browser tab 
    Note: searching for specific alert_id can also be added, if desired
 AND alert_id:<alert_id>
  6. Scroll to bottom of Alert Triage and expand Event with block on script noted from Alerts page
  7. Copy SHA256 hash of script (either Process or Target)
  8. Go to Enforce > Reputations and add hash to Company Approved List
  9. Repeat steps 5-8 for additional target hashes as needed
  10. If Blocking Alerts tied to reason_code above are still observed, add SHA256 of script interpreter to Company Approved List

Additional Information

  • Resolution via hash approval requires Sensor 3.7.0.1253 or higher
  • EEDR customer can verify the Hash using this KB, sometimes an in-memory hash will be shown in the alert instead of the actual hash.
  • If the problem remains, please open a case with Carbon Black Technical Support and provide details 
    Org Key
Alert ID prior to approving Target SHA256
Process/Script Interpreter Name and SHA256
Target/Script Name and SHA256
Alert ID after approving Target SHA256
  • Support will review logs for an impacted device to propose one of two remaining Permissions rule options
    • [Applications at path <parent_process>] [Performs any operation] [Bypass] also sometimes referred to as a Full bypass rule
    • [Applications at path <parent_process>] [Performs any API operation] [Bypass] also sometimes referred to as an API bypass rule
Powered by Wolken Software